Blog Post

Azure SQL Blog
4 MIN READ

Enable Azure Key Vault Purge Protection for TDE BYOK in Azure SQL DB and MI

Shoham Dasgupta's avatar
Feb 17, 2022

Transparent data encryption (TDE) in Azure SQL Database and Managed Instance helps protect against the threat of malicious offline activity by encrypting data at rest. TDE with Customer-Managed Key (CMK) enables Bring Your Own Key (BYOK) scenario for data protection at rest, leveraging Azure Key Vault or Azure Key Vault Managed HSM.

Soft-delete and purge protection are Azure Key Vault features that allow recovery of deleted vaults and deleted key vault objects, reducing the risk of a user accidentally or maliciously deleting a key or a key vault.

  • The soft-delete feature is on by default for new key vaults and can also be enabled using the Azure portal, PowerShell or Azure CLI. When soft-delete is enabled, resources marked as deleted resources are retained for a specified period (90 days by default) and can be recovered during that period.
  • Purge protection is not enabled by default and can be turned on using the Azure Portal, Azure CLI or PowerShell. When purge protection is enabled, a vault or an object in the deleted state cannot be purged until the retention period has passed. The default retention period is 90 days, but is configurable from 7 to 90 days. It is important to note that Purge Protection is designed so that no administrator role or permission can override, disable, or circumvent purge protectionOnce purge protection is enabled, it cannot be disabled or overridden by anyone including Microsoft. This means you must recover a deleted key vault or wait for the retention period to elapse before reusing the key vault name.

Today, most Azure services that integrate with Azure Key Vault, such as Storage, require enabling soft-delete and purge protection on the key vault when using keys for encryption to prevent data loss.

 

Until now, TDE with CMK in Azure SQL has required soft-delete to be turned on for the key vault. Purge protection has been strongly recommended but not a requirement when configuring TDE with CMK in Azure SQL. 

Note – The terms “Azure Key Vault” and “key vault” in this article refer to both Azure Key Vault and Azure Key Vault Managed HSM.

 

What’s Changing

Starting April 2022, Azure SQL will require both soft-delete and purge protection to be enabled on the key vault when configuring TDE with CMK on the server or managed instance.

While updating the TDE Protector on an existing server or while configuring TDE with CMK during server creation, Azure SQL will validate that the key vault containing the encryption key being used as TDE Protector has purge protection, in addition to soft-delete, turned on.

 

How does this change benefit me?

Accidental or malicious deletion of a key vault can lead to permanent data loss. When the SQL server or managed instance loses access to the key, the database goes into “Inaccessible” state. A malicious attacker can potentially delete and purge key vaults or keys, thereby restricting access to your databases.

Enabling purge protection on the key vault is an important safeguard that protects you from such incidents by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.

 

Does this change affect me?

If you already have purge protection turned on for your key vaults, you are not affected. Additionally, existing servers and managed instances already configured with TDE with CMK are also not impacted.

If you do not have purge protection turned on for your key vault and you attempt to set a key from the same vault as the TDE Protector for your server or managed instance (either an existing one or during creation) you will receive an error message indicating that purge protection needs to be enabled on the key vault.

Note – The purge protection requirement is validated when configuring the TDE Protector, either at server creation or when updating TDE Protector on an existing server.

In such cases, first enable purge protection on the key vault and then re-try the operation.


How do I find out if I need to take action?

Use the “Key vaults should have purge protection enabled” built-in Azure policy to audit your key vaults to determine which ones do not have purge protection enabled.

 

What action do I need to take?

Turn on purge protection on your key vaults where it is not already on. Purge protection is not enabled by default and can be turned on using the Azure Portal, Azure CLI or PowerShell.

 

If you use an automated script to create new key vaults, update the script to ensure that purge protection is being set to 'true' when creating the key vault.

 

When do I need to take action?

Please enable purge protection on your key vaults before March 31st 2022. After this date, the purge protection requirement will be rolled out for Azure SQL Database and Managed Instance, and purge protection will need to be enabled on the key vault when configuring the TDE Protector.

 

Learn More

 

 

 

 

Updated Feb 17, 2022
Version 2.0
No CommentsBe the first to comment